A method and system for validating access to a computer system in an unobtrusive manner. A finite ordered series of activities, such as icon manipulations, application invocations or file manipulations, is specified and stored for future reference. Thereafter, each time access to the computer system is attempted, the initial activities of a prospective user are identified and compared to the stored finite ordered series of activities. Access is validated and continued access permitted in response to a match between the prospective user's initial activities and the stored finite ordered series of activities. In this manner, access to a computer system may be validated without the necessity of utilizing an explicit access/password screen which may be compromised. In one embodiment of the present invention, a selected application may be automatically invoked or a particular activity automatically executed in response to a validation of access.

The present invention relates in general to the field of computer system security and in particular to a method and system for validating access to a computer system by a selected user. Still more particularly, the present invention relates to a method and system for validating access to a computer system by a selected user in an unobtrusive manner.

Computer system security schemes are well known in the prior art. The most common security system employed typically utilizes a so-called "password" system which associates a specific alphanumeric character string with a particular user. Upon an attempted access of a computer system or a selected application by that user, a "password screen" is typically displayed and the user must thereafter enter the correct alphanumeric character string in order to validate his or her access. Password systems are widely utilized in low security systems; however, they are not often utilized in more demanding situations. The display of a password screen is an indication to an unauthorized user that the entry of a password is required for entry to the system. So-called computer "hackers" have employed many different schemes to determine the proper alphanumeric character string necessary to obtain access to a password protected computer system. Obtaining physical copies of a password from the vicinity of the computer terminal or utilizing computer applications which rapidly try all possible combinations of alphanumeric character strings are but two techniques utilized by such people. More sophisticated computer security systems utilize unique physical characteristics such as fingerprints, retina patterns or voice pattern recognizers to ensure that computer system access is restricted to selected users. Still more stringent systems utilize physical security and limit physical access to computer terminals by utilizing guards or other security systems. Such systems provide a great deal more security; however, the cost associated with the required hardware devices is quite considerable. It should therefore be apparent that a need exists for a computer access validation system which permits user access to be selectively controlled in an unobtrusive manner while providing a level of security similar to that provided by password systems.

It is therefore one object of the present invention to provide an improved security system for use with a computer system. It is another object of the present invention to provide an improved method and system for validating access to a computer system by a selected user. It is yet another object of the present invention to provide an improved method and system for validating access to a computer system by a selected user in an unobtrusive manner. The foregoing objects are achieved by the inventions claimed. According to the invention a finite ordered series of substantive activities, such as icon manipulations, application invocations or file manipulations, is specified and stored for future reference. Thereafter, each time access to the computer system is attempted, the initial activities of a prospective user are identified and compared to the stored finite ordered series of substantive activities. Access is validated and continued access permitted in response to a match between the prospective user's initial activities and the stored finite ordered series of substantive activities. In this manner, access to a computer system may be validated without the necessity of utilizing an explicit access/password screen which may be compromised. In one embodiment of the present invention, a selected application may be automatically invoked or a particular activity automatically executed in response to a validation of access.

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 is a pictorial representation of a distributed data processing system wherein access thereto may be controlled and validated utilizing the method and system of the present invention;

Figure 2 is a high level flowchart illustrating the establishment of an access validation method and system in accordance with the present invention; and

Figure 3 is a high level flowchart illustrating the validation of access to a computer system utilizing the method and system of the present invention.

With reference now to the figures and in particular with reference to Figure 1, there is depicted a pictorial representation of a distributed data processing system 8 wherein access thereto may be controlled and validated utilizing the method and system of the present invention. As may be seen, distributed data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Intelligent Work Stations (IWS) coupled to a host processor may be utilized for each such network. As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16. One or more such storage devices 14 may be utilized, in accordance with the method and system of the present invention, to store the various applications or documents which may be periodically accessed and processed by a user whose access to such applications or documents has been controlled and validated utilizing the method and system of the present invention. Further, one or more such storage devices 14 may be utilized, as will be explained in greater detail herein, to store a specified finite ordered series of substantive activities which may be utilized to validate the access of a user to the computer in accordance with the method and system of the present invention.

Still referring to Figure 1, it may be seen that distributed data processing network 8 may also include multiple mainframe computers, such as mainframe computer 18, which may be preferably coupled to Local Area Network (LAN) 10 by means of communications link 22. Mainframe computer 18 may be coupled to a storage device 20 which may serve as remote storage for Local Area Network (LAN) 10 and may be coupled via communication link 24 through a communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or Intelligent Work Station (IWS) which serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.

As discussed above with respect to Local Area Network (LAN) 32 and Local Area Network (LAN) 10, a plurality of data objects, applications or documents may be stored within storage device 20 and controlled by mainframe computer 18, as Resource Manager or Library Service for the data objects and documents thus stored. Those skilled in the art will appreciate that it is often desirable to control access to such data objects, applications or documents by permitting only selected users to access, alter, or delete such documents. Additionally, those skilled in the art will appreciate that mainframe computer 18 may be located a great geographical distance from Local Area Network (LAN) 10 and similarly Local Area Network (LAN) 10 may be located a substantial distance from Local Area Network (LAN) 32. That is, Local Area Network (LAN) 32 may be located in California, while Local Area Network (LAN) 10 may be located within Texas and mainframe computer 18 may be located in New York. As will be appreciated upon reference to the foregoing, it is often desirable for users within one portion of distributed data processing network 8 to access a particular data object, application or document from another portion of distributed data processing network 8. However, as discussed above, access to selected data objects, applications or documents may preferably be controlled utilizing the method and system of the present invention, such that only selected users may access, alter, or copy such data objects, applications or documents.

Referring now to Figure 2, there is depicted a high level flowchart which illustrates the establishment of an access validation method and system in accordance with the present invention. As illustrated, the process begins at block 50 and thereafter passes to block 52 which depicts a determination of whether or not access control is desired. In the event access control to a selected computer application or system is not desired, the process merely passes to block 66 and terminates, as illustrated. Still referring to block 52, in the event access control to a particular computer application or system is desired, the process passes to block 54. Block 54 illustrates the identification of a particular user for whom access control and validation is desired. Next, the process passes to block 56, which depicts the specifying of a finite ordered series of substantive activities which must be performed by the user in order to validate continued access to the computer system or application. As set forth within the present specification, the term "substantive" with reference to selected activities within a computer system shall refer to activities having substantive effect within a computer system or application rather than the mere entry of an arbitrary alphanumeric key sequence, such as is typically utilized in a password process. For example, "substantive" activities may include such activities as the invocation of a particular application, the manipulation of a selected file, the manipulation of a particular icon or the utilization of a peripheral system, such as the selection of a telephone system which is associated with the computer system. After specifying a finite ordered series of substantive activities which will be utilized to control and validate access to a computer system or computer application, in accordance with the method and system of the present invention, that specified activity series is stored, as depicted at block 58. Next, the process passes to block 60 which illustrates a determination of whether or not automatic invocation/execution is desired in conjunction with the access control and validation system of the present invention. Such automatic invocation/execution may be utilized to automatically invoke a particular application or execute a selected activity upon the occurrence of access validation in accordance with the method and system of the present invention. The application invoked or the activity executed may be totally unrelated to the specified finite ordered series of substantive activities which are utilized to validate access, as will be explained in greater detail herein. If no automatic invocation/execution is desired, the process again passes to block 66 and terminates, as illustrated. Referring again to block 60, in the event an automatic invocation/execution is desired, the process passes to block 62 which depicts the specifying of the particular application or activity which will be automatically invoked or executed in response to a validation of access by a particular user. Thereafter, as illustrated at block 64, the specified application or activity is stored and the process then terminates, as depicted at block 66.

With reference now to Figure 3, there is depicted a high level flowchart illustrating the control and validation of access to a computer system utilizing the method and system of the present invention. As illustrated, the process begins at block 70 and thereafter passes to block 72. Block 72 depicts a determination of whether or not an access to the selected computer system and/or computer application has been attempted and if not, the process merely iterates until such time as an access is attempted. After an access to the selected computer system or computer application is attempted, as determined at block 72, the process passes to block 74. Block 74 illustrates the granting of apparent access to the computer system or computer application. Those skilled in the art will appreciate that "apparent" access to a computer system may mean total access to a limited, predetermined set of resources, such as applications, documents or the like. Thereafter, the process passes to block 76. Block 76 illustrates the identification of the initial activities of a user after apparent access to the computer system or computer application has been granted. Next, the process passes to block 78 which illustrates a comparison to determine whether or not the initial activities of the user match the stored specified finite ordered series of substantive activities which has been previously stored as depicted at block 58 (see Figure 2). If the initial activities of the user do not match the stored specified finite ordered list of substantive activities previously determined for a particular user, the process passes to block 80 which illustrates the termination of access by that user to the computer system or computer application and the process then terminates, as depicted in block 82.

Referring again to block 78, in the event the initial activities of a user after apparent access has been granted match the stored specified finite ordered list of substantive activities stored within the system, the process passes to block 84 which illustrates the validation of continued access to the system or application by that user. Validation of continued access to the system may mean merely permitting continued access or, alternatively, validation may permit a user to access a previously nonaccessible group of resources. Next, the process passes to block 86. Block 86 illustrates a determination of whether or not automatic invocation/execution upon a validation of access has been selected for the particular user in question. If so, the process passes to block 90 which illustrates the automatic invocation of a selected application or the automatic execution of a particular activity. In the event automatic invocation/execution is not selected or after automatically invoking a particular application or executing a selected activity, the process passes to block 88 which illustrates the continued access to the computer system or application by the user.

Upon reference to the foregoing those skilled in the art will appreciate that a novel method and system are herein provided whereby access to a particular computer system or computer application may be controlled and validated through recognition of a series of substantive activities, or a selected process. Thus, a user wishing to gain access to confidential files stored within a Local Area Network (LAN) server, Resource Manager or Library Server may be required to perform a specific finite ordered set of substantive activities prior to being allowed to gain access. The method and system of the present invention permits apparent access to the system to be granted to a particular user and thereafter identifies the initial activities of the user within that system. For example, a process which permits access may require a user to invoke a timer application, followed by making a phone call to a phone system, followed by dragging an arbitrary icon across a confidential files icon, followed by "triple clicking" utilizing a mouse pointer on the confidential files icon. By identifying a selected series of ordered substantive activities, such as those described above, access to the confidential files may be controlled and validated. Further, the validation of continued access to a computer system or application may be easily utilized to invoke a selected process or execute a particular activity which may otherwise require explicit invocation. For example, a user desiring to upload a particular group of confidential files may be required to perform a totally unrelated series of substantive activities, the completion of which will automatically invoke the uploading process. A failure of the user to perform the specified finite ordered series of substantive activities can result in a termination of access or a simple denial of access to the particular files in question. In this manner, an unauthorized user having access to a particular terminal may be denied access despite the possession of a particular password without explicitly realizing that an access control scenario has been utilized. By controlling and validating access to a computer system utilizing a series of substantive activities which may be performed by any user within the computer system, the security of the computer system or a computer application is assured in a highly unobtrusive manner.
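The enrollment procedure of Figure 2 and the validation procedure of Figure 3, applied to the timer/phone call/drag/triple-click sequence used above, can be implemented as a small gate over the activity stream reported by the desktop shell. The following Python block is an added illustration by the editor; it is not code from the patent or from any product implementing it, and the activity tuples, the enroll and Session names, the apparent_resources set, the "upload-confidential-files" action and the PBKDF2 parameters are all assumptions. Two choices go beyond what the description states and are worth noting: the stored series is kept as a salted hash and checked with a constant-time digest comparison, since the series is a secret in exactly the way a password is and should not be readable in the clear from storage device 14; and the comparison is made only once as many activities as the enrolled series length have been observed, so that a mismatch does not tell the prospective user which step was wrong.

```python
"""Added example (editor's illustration, not the patent's own code; all names assumed).
Enrol a finite ordered series of substantive activities (Figure 2, blocks 54-64),
then grant apparent access, observe initial activities and validate or terminate
(Figure 3, blocks 74-90)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Activity = Tuple[str, str]   # (kind, target) as reported by the shell, assumed shape
PBKDF2_ROUNDS = 50_000


def _encode(series: Sequence[Activity]) -> bytes:
    """Canonical bytes of an ordered series; the order is part of the secret."""
    return b"\x1f".join(f"{kind}\x00{target}".encode() for kind, target in series)


@dataclass(frozen=True)
class StoredGate:
    """Blocks 58/64: salted hash of the series (never the clear series), its
    length, and the optional application to auto-invoke on validation."""
    user: str
    salt: bytes
    digest: bytes
    length: int
    auto_action: Optional[str] = None


def enroll(user: str, series: Sequence[Activity], auto_action: Optional[str] = None) -> StoredGate:
    """Blocks 56-64: specify and store the series for one user."""
    if not series:
        raise ValueError("series must contain at least one activity")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(series), salt, PBKDF2_ROUNDS)
    return StoredGate(user, salt, digest, len(series), auto_action)


class Session:
    """One attempted access (Figure 3, block 72 onward) for a single user."""

    def __init__(self, gate: StoredGate, apparent_resources, actions):
        self.gate = gate
        self.apparent_resources = set(apparent_resources)  # block 74: limited set
        self.actions = dict(actions)                       # block 90: name -> callable
        self.observed: List[Activity] = []
        self.state = "apparent"                            # apparent | validated | terminated
        self.invoked: List[str] = []

    def can_access(self, resource: str) -> bool:
        """Blocks 74/84: apparent access sees only the predetermined set;
        validated access also sees the previously non-accessible resources."""
        if self.state == "terminated":
            return False
        return self.state == "validated" or resource in self.apparent_resources

    def record(self, activity: Activity) -> str:
        """Blocks 76-90: collect initial activities; compare once the enrolled
        length is reached so a wrong step is not reported early. Returns state."""
        if self.state != "apparent":
            return self.state
        self.observed.append(activity)
        if len(self.observed) < self.gate.length:
            return self.state
        candidate = hashlib.pbkdf2_hmac("sha256", _encode(self.observed),
                                        self.gate.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self.gate.digest):   # block 78
            self.state = "validated"                            # block 84
            if self.gate.auto_action is not None:               # blocks 86/90
                self.invoked.append(self.gate.auto_action)
                self.actions[self.gate.auto_action]()
        else:
            self.state = "terminated"                           # block 80
        return self.state


# Constructed sample input: the sequence used as the worked example above.
EXAMPLE_SERIES: List[Activity] = [
    ("invoke", "timer"),
    ("phone", "dial"),
    ("drag", "confidential-files-icon"),
    ("triple-click", "confidential-files-icon"),
]


def demo(activities: Sequence[Activity]) -> Tuple[str, List[str]]:
    """Enrol EXAMPLE_SERIES for a user, replay `activities`, return (state, auto-invoked)."""
    gate = enroll("alice", EXAMPLE_SERIES, auto_action="upload-confidential-files")
    session = Session(gate, {"timer", "phone"}, {"upload-confidential-files": lambda: None})
    for act in activities:
        if session.record(act) != "apparent":
            break
    return session.state, session.invoked


if __name__ == "__main__":
    print(demo(EXAMPLE_SERIES))   # ('validated', ['upload-confidential-files'])
    print(demo([("invoke", "editor")] + EXAMPLE_SERIES[1:]))   # ('terminated', [])
```

Running the block directly shows the validated and terminated outcomes for the worked sequence; a session that has not yet observed enough activities stays in the apparent state and keeps its access restricted to the predetermined resources. Because the series is a fixed-length secret drawn from a small alphabet of shell actions, the guessing and shoulder-surfing concerns raised for passwords in the background section apply to it as well; the unobtrusiveness comes from the absence of a prompt, not from additional entropy, which is consistent with the level of security the description claims.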
Claims

1. A method for validating access to a computer 
system by a selected user in an unobtrusive 
manner, said method comprising the steps of: 

specifying a finite ordered series of ac- 
tivities which may be performed by a user 
within said computer system (56); and 

validating continued access to said com - 
puter system by said selected user in re- 
sponse to a performance by said selected user 
of said specified finite ordered series of ac- 
tivities (76, 78, 84). 

2. The method of validating access to a computer 
system by a selected user according to claim 
1, further including the step of allowing ap- 
parent access (74) to said computer system by 
a selected user. 

3. The method of validating access to a computer system by a selected user according to any preceding claim, further including the step of storing an indication of said specified finite ordered series of activities (58) within said computer system.

4. The method of validating access to a computer system by a selected user according to any preceding claim, wherein said finite ordered series of activities have substantive effect within the computer system other than the mere entry of an arbitrary alphanumeric key sequence.

5. The method of validating access to a computer system by a selected user according to any one of claims 2 to 4, wherein said step of allowing apparent access (74) to said computer system by a selected user comprises the step of allowing said selected user to access only a predetermined set of resources within said computer system (86, 88, 90).

6. The method of validating access to a computer system by a selected user according to any preceding claim, wherein said specified finite series of activities (56) which may be performed by a user within said computer system includes at least one invocation of an application within said computer system (86, 90).

7. The method of validating access to a computer 
system by a selected user according to claim 
6, further including the step of automatically 
invoking a specified application (86) within said 
computer system in response to said validation 
of access (84) to said computer system. 



8. The method of validating access to a computer system by a selected user according to claim 6 or 7, further including the step of automatically executing a specified activity (86) within said computer system in response to said validation of access (84) to said computer system.

9. A system for validating access to a computer (18) by a selected user in an unobtrusive manner, said system comprising:

memory means associated with said computer (20);

means for storing (58) within said memory means an indication of a finite ordered series of activities which may be performed by a user within said computer; and

access control means for validating continued access (84) to said computer by said selected user in response to a performance by said selected user of said finite ordered series of activities.

10. The system for validating access to a computer by a selected user in an unobtrusive manner according to claim 9, wherein said system further includes access means for allowing apparent access to said computer by a selected user (74).

11. The system for validating access to a computer by a selected user in an unobtrusive manner according to claim 9 or 10, wherein said finite ordered series of activities have substantive effect within the computer system other than the mere entry of an arbitrary alphanumeric key sequence.

12. The system for validating access to a computer by a selected user in an unobtrusive manner according to any one of claims 9 to 11, wherein said finite ordered series of activities includes at least one invocation of an application within said computer and wherein said system further includes means for automatically invoking a specified application (86, 90) within said computer system in response to validating continued access to said computer.

13. The system for validating access to a computer by a selected user in an unobtrusive manner according to any one of claims 10 to 12, wherein said access means for allowing apparent access (74) to said computer system by a selected user comprises access means for allowing said selected user to access only a predetermined set of resources within said computer system (78).
14. The system for validating access to a computer by a selected user in an unobtrusive manner according to any one of claims 9 to 13, wherein said finite ordered series of activities includes at least one invocation of an application (86, 90) within said computer and wherein said system further includes means for automatically executing a specified application (90) within said computer system in response to validating continued access to said computer.